Developing websites, whether for information sharing or for commercial use, should be done in a safe and secure manner, so that the people or the general public who actually benefit from those sites will not lose their confidential information or get infected by malware.

Input Validation

Presently many websites offer Sign up and Sign in options. It may be to subscribe to that specific site, to do online shopping or even for online banking. For this, the website needs user input, but that input can be either harmless or harmful, since the user is not always restricted in what they submit. Therefore it is very important to treat all user input as potentially malicious and to validate it. This input validation can be handled in numerous ways.

a. Whitelisting (Accept known good)

In this approach only a defined set of safe inputs is allowed and all other input is blocked by default. This is the best technique and should be used to validate all input whenever possible.

A whitelist is basically a list which says "A, B and C are good (and everything else is bad)".

b. Blacklisting (Reject known bad)

In this method certain known malicious inputs are blocked from being submitted. This is the least secure way of validating input. The risk of using this method is that the set of possible bad inputs is potentially infinite.

A blacklist is basically a list which says "A, B and C are bad (and everything else is good)".

c. Sanitization

This method filters out dangerous characters while still allowing legitimate input. It should be used when a large range of inputs has to be accepted for correct functionality.

Input should not only be validated at the point of entry, because client-side input validation can easily be bypassed using a local proxy. Thus input should be validated at the backend too.
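The three approaches side by side, as an added example that is not part of the original article. The username pattern, the blacklist fragments and the 500-character comment limit are assumptions chosen for illustration; the blacklist is included only to show why the article ranks it last.

```python
import re
import unicodedata

# Whitelist: a username is 3-20 characters of [a-z0-9_] (assumed policy).
# Everything else is rejected by default, which is what "accept known good" means.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,20}")

def validate_username(value):
    """Accept-known-good check: True only when the whole value matches the pattern."""
    return USERNAME_RE.fullmatch(value) is not None

# Blacklist: reject inputs containing known-bad fragments. Included only to show
# why it is the weakest option: the list can never cover every bad variant
# (a different letter case already slips past it).
BAD_FRAGMENTS = ("<script", "javascript:")

def blacklist_ok(value):
    """Reject-known-bad check: True when none of the listed fragments is present."""
    return not any(fragment in value for fragment in BAD_FRAGMENTS)

# Sanitization: for free text such as a comment, where the range of legitimate
# input is too wide for a whitelist, keep the text but drop what has no business
# in it (control characters other than newline and tab) and enforce a length
# limit. Unicode is normalised first so equivalent spellings compare equal later.
MAX_COMMENT = 500  # assumption: the site's own limit for a comment field

def sanitize_comment(value):
    """Return the comment with control characters removed, trimmed, and capped."""
    value = unicodedata.normalize("NFC", value)
    kept = [ch for ch in value if ch in "\n\t" or unicodedata.category(ch) != "Cc"]
    return "".join(kept).strip()[:MAX_COMMENT]
```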

Injection

Even though it’s very simple to avoid, many applications are still susceptible to these attacks. An injection is something that tricks an application into including unintended commands in the data sent to an interpreter. The interpreter can be SQL, an OS shell, LDAP, etc. The impact of an injection is usually severe: an entire database can be read or modified. It may also allow full access to a database schema or even to an account.

How to avoid injection flaws in web applications?

1. Avoid the interpreter entirely

2. Use an interface that supports bind variables (e.g. prepared statements or stored procedures)

3. Encode / escape all user input before passing it to the interpreter

Enforce Proper Error Handling

Web applications frequently generate error conditions during normal operation. Sites should never return system-generated error messages or debug information to the user. Proper exception handling should be used to trap errors and display customized, non-informative errors to users.

Good error handling techniques should be able to handle any practical set of inputs while enforcing appropriate security. Simple error messages should be generated and logged so that their cause, whether a fault in the site or a hacking attempt, can be evaluated. Errors should be handled not only for user input but also for any errors that can be produced by internal operations such as system calls and database queries. To determine whether a web application is vulnerable, simple testing can be done by checking how the site responds to various input errors. Comprehensive testing should also be done to cause internal errors and see how the application behaves.

How to protect a site?

1. Return simple error messages to the user and log a more detailed error message on the server.

2. Provide the user with data validation errors, but do not provide developer-level debug information.

3. Enable detailed logging features so that the logs can be reviewed for anomalies, which also makes it easier to track cyber criminals.
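Points 1 to 3 in one request wrapper, as an added example that is not part of the original article. The ValidationError class, the quantity and price handlers, and the (status, body) return shape are assumptions standing in for a real framework.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")

class ValidationError(Exception):
    """Raised for bad user input; its message is written to be safe to show to the user."""

def handle_request(handler, *args):
    """Run a request handler and map any failure to a safe (status, body) pair."""
    try:
        return 200, handler(*args)
    except ValidationError as exc:
        # Point 2: data validation problems go back to the user, without internals.
        return 400, {"error": str(exc)}
    except Exception:
        # Points 1 and 3: full traceback to the server log under a reference id,
        # only a generic message plus that id to the user. The id lets support
        # find the detailed entry without exposing it.
        ref = uuid.uuid4().hex[:12]
        log.error("request failed ref=%s\n%s", ref, traceback.format_exc())
        return 500, {"error": "An internal error occurred.", "ref": ref}

def parse_quantity(raw):
    """Example input handler: only whole numbers 1-100 are acceptable (assumed rule)."""
    if not raw.isdigit() or not 1 <= int(raw) <= 100:
        raise ValidationError("quantity must be a whole number between 1 and 100")
    return int(raw)

def lookup_price(sku):
    """Constructed stand-in for a database call that can fail internally."""
    prices = {"A100": 9.99}
    return prices[sku]  # KeyError for unknown SKU: an internal error, must not leak
```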

Cross-Site Scripting (XSS)

XSS impacts users in various ways. The most typical are stealing a user’s session, stealing sensitive data, rewriting the web page or even redirecting the user to a phishing site. More severely, it can install an XSS proxy which allows an attacker to observe and direct all of a user’s behavior on the vulnerable site and force the user to other sites.

It is very difficult to identify and remove XSS flaws in a web application. The main thing to do is to carry out a security review of the code and search for all places where input from an HTTP request could possibly make its way into the HTML output.

The best method to protect a site from cross-site scripting is to guarantee that the web application validates all cookies, query strings and form fields against a precise specification of what should be permitted.
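One place where request input reaches HTML output, handled with encoding plus the precise specification the article asks for, as an added example that is not part of the original article. The profile fragment, the two fields and the http/https-only rule for the homepage link are assumptions.

```python
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: only web links are legitimate here

def safe_link(url):
    """Return the URL if it meets the specification (http/https with a host), else None.
    Encoding alone does not make a URL safe inside an href: a 'javascript:' scheme
    survives html.escape untouched, so the scheme itself has to be validated."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return url

def render_profile(display_name, homepage):
    """Build the profile fragment; every request-derived value is encoded for the
    HTML context it lands in (text node or quoted attribute)."""
    name = html.escape(display_name, quote=True)
    link = safe_link(homepage)
    if link is None:
        link_html = "<em>no homepage</em>"
    else:
        link_html = f'<a href="{html.escape(link, quote=True)}">homepage</a>'
    return f"<h1>{name}</h1>\n<p>{link_html}</p>"
```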

Enforce Proper Authentication and Session Management

Authentication and session management are an important part of web applications. It is vital to authenticate users of sites and manage active sessions in order to keep the site safe. Solid authentication methods can be bypassed by flawed credential management functions like password change, forgot my password or even remember my password.

A typical website’s user authentication involves a user ID and a password. Failure to manage sessions and account authentication can make a website vulnerable to attackers. So, strong session management and authentication methods should be used to protect the credentials of the user and thereby protect the website from potential threats.

Session management can be done by using cookies, embedding session IDs in query strings or using hidden fields. Whichever method is used, if session tokens are not properly protected an attacker can hijack an active session and assume the identity of a user. So session tokens should be generated with sufficient randomness, complexity and length.

Code review and penetration testing can be done to determine and analyze whether a specific web application is vulnerable in authentication and session management.

Having a log out option and automatic session expiration would help to protect a web application. Other than that, developers could also implement the various features mentioned below.

Session ID

A user’s entire session should be protected through SSL, so it cannot be hijacked over the network.

Password Strength

Minimum size, complexity (alphanumeric/special characters).

Password Use

Restrict the user to a defined number of login attempts; users should change their password occasionally; users should not be able to reuse old passwords.

Password Storage

Passwords should be stored in either hashed or encrypted form.
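Random session tokens with expiry and log-out, the cookie attributes that keep the token on SSL only, and hashed password storage, as an added example that is not part of the original article. The 15-minute timeout, the in-memory session store and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

SESSION_TTL = 15 * 60   # assumption: sessions expire after 15 minutes of inactivity
_sessions = {}          # token -> {"user", "expires"}; stand-in for a server-side store

def create_session(user, now=None):
    """Issue a new token: 32 bytes from the OS CSPRNG, URL-safe encoded (43 chars)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _sessions[token] = {"user": user, "expires": now + SESSION_TTL}
    return token

def session_cookie(token):
    """Set-Cookie value: Secure keeps it off plaintext HTTP, HttpOnly keeps it away
    from page scripts, SameSite limits cross-site sends, Max-Age matches the TTL."""
    return f"sid={token}; Secure; HttpOnly; SameSite=Lax; Path=/; Max-Age={SESSION_TTL}"

def resolve_session(token, now=None):
    """Return the user for a live token, or None if unknown or expired (expired
    entries are dropped); each use slides the expiry forward."""
    now = time.time() if now is None else now
    entry = _sessions.get(token)
    if entry is None or entry["expires"] <= now:
        _sessions.pop(token, None)
        return None
    entry["expires"] = now + SESSION_TTL
    return entry["user"]

def logout(token):
    """Explicit log-out: invalidate the token server-side, not only in the browser."""
    _sessions.pop(token, None)

def hash_password(password, salt=None, iterations=600_000):
    """Store a salted PBKDF2-HMAC-SHA256 hash, never the password itself."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)
```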

Insecure Storage

Information is one of the most important assets in a web application, mainly the sensitive information that a user might hold or share with a site (passwords, credit card numbers and account records). These types of information are normally stored in encrypted form so that an attacker cannot access them. The problem with sensitive data is that web developers fail to identify all of it, and sometimes they even fail to recognize all the places where this information will be stored.

The impact of insecure storage is that attackers will be able to access or modify confidential and private data of users. This could lead to company embarrassment, customer dissatisfaction and loss of trust. In some countries the company might get sued or fined due to non-compliance with regulatory requirements like PCI DSS.

Identifying all the sensitive data and all the places where it is stored, and then applying suitable protection mechanisms such as file encryption, database encryption and data element encryption, will protect you from unwanted attacks.

Denial of Service

Web sites are vulnerable to denial of service attacks mainly because an application cannot easily differentiate between an attack and normal traffic. Denial of service attacks consume a lot of resources so that even genuine users will not be able to use the system. Other types of impact: an attacker might target a specific user by sending invalid credentials until the system locks out that user’s account, or might request a new password for a user and gain access to that account.

It is hard to detect and protect yourself against denial of service attacks. It would be best if test tools can be used to generate web traffic and test how a certain web application behaves under heavy load. Limiting the resources allocated to a specific user can also help to some extent.
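Per-user resource limiting, as an added example that is not part of the original article: a sliding-window limiter applied once per client address and once per (client, account) for login attempts, so a flood of bad passwords from one source is slowed down without locking the real user out of the account. The limits and the check_credentials callback are assumptions.

```python
import time
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)  # key -> timestamps of recent events

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self._events[key]
        while q and q[0] <= now - self.window:   # forget events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

# Assumed limits: 100 requests per minute per client address, and 5 login
# attempts per 5 minutes per (client, account) pair. Keying the login limiter on
# the pair, not the account alone, is what avoids handing an attacker a way to
# lock out a chosen user.
request_limiter = SlidingWindowLimiter(limit=100, window=60)
login_limiter = SlidingWindowLimiter(limit=5, window=300)

def try_login(client_ip, username, password, check_credentials, now=None):
    """Return 'ok', 'bad_credentials', 'rate_limited' or 'too_many_attempts'."""
    if not request_limiter.allow(client_ip, now):
        return "rate_limited"
    if not login_limiter.allow((client_ip, username), now):
        return "too_many_attempts"
    return "ok" if check_credentials(username, password) else "bad_credentials"
```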

The above-mentioned types are not the only ways a web application can be attacked, nor are those the only types of vulnerabilities found in a website. In the present world the number of web servers and applications is growing rapidly day by day. So, developers must always assume that their sites are at risk and vulnerable. Other than the damage a vulnerable site can do to its owner, it can also pose a threat to a whole lot of internet users, because unsecured sites are commonly used for phishing and malware attacks.

One of the best ways to secure a site and keep it away from unwanted attacks is to install patches when they are available for the different components of the system, and to do regular audits by professional security firms, especially if your site holds any credit card information, passwords or other sensitive data. You might think you can spot all of your own mistakes, but trust me, it is always good to get another pair of eyes looking for vulnerabilities.

Dharaka Ellawala

Dharaka is an undergraduate of the Informatics Institute of Technology who is currently following a B.Eng (Hons) in Software Engineering. Currently he is working as an Intern - Information Security Engineer at Sri Lanka CERT|CC.

'....Simply put, Shodan is a search engine. While Google crawls the Internet looking for websites, Shodan is scanning for devices connected to the Internet and recording information about the software running on those devices. What has the press and security professionals worried is that Shodan has revealed wide-scale holes in Internet safety, from somewhat embarrassing privacy oversights to keep-you-up-at-night vulnerabilities in critical infrastructure......'

'....Recently foreign media have been hyping up "cyber attack from China" and the talk of a "Chinese hacking threat" is in the air. But it turns out that China is actually the real victim of cyber attacks, Xinhua reported, citing statistics from the National Computer Network Emergency Response Coordination Center of China (CNCERT/CC).

The number of Internet users on the Chinese mainland keeps rising sharply, but Chinese users don't take net safety protection as seriously as do most western users. Hence China has become the biggest victim of Internet hacking......'

While digging in depth into the original sample, we found that the exploit uses highly sophisticated exploitation techniques to attack various Flash Player versions. It also includes "user-friendly" tricks that give no signs or symptoms to its victims.

The ingenious exploit uses a previously unknown technique to craft the heap memory on Flash Player. With the aid of a regular expression-handling vulnerability that is related to a heap-based buffer overflow, the attack can create a highly reliable memory information leak that allows the exploit to bypass the usually effective exploitation mitigations of address space layout randomization (ASLR) and data execution prevention (DEP) on Windows